k8s.io/kubernetes@v1.29.3/test/e2e/lifecycle/bootstrap/bootstrap_signer.go (about) 1 /* 2 Copyright 2017 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package bootstrap 18 19 import ( 20 "context" 21 22 "github.com/onsi/ginkgo/v2" 23 24 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 25 clientset "k8s.io/client-go/kubernetes" 26 bootstrapapi "k8s.io/cluster-bootstrap/token/api" 27 "k8s.io/kubernetes/test/e2e/feature" 28 "k8s.io/kubernetes/test/e2e/framework" 29 "k8s.io/kubernetes/test/e2e/lifecycle" 30 admissionapi "k8s.io/pod-security-admission/api" 31 ) 32 33 const ( 34 // TokenIDBytes is the length of the byte array to generate tokenID. 35 TokenIDBytes = 3 36 37 // TokenSecretBytes is the length of the byte array to generate tokenSecret. 38 TokenSecretBytes = 8 39 ) 40 41 var _ = lifecycle.SIGDescribe(feature.BootstrapTokens, func() { 42 43 var c clientset.Interface 44 45 f := framework.NewDefaultFramework("bootstrap-signer") 46 f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged 47 ginkgo.AfterEach(func(ctx context.Context) { 48 if len(secretNeedClean) > 0 { 49 ginkgo.By("delete the bootstrap token secret") 50 err := c.CoreV1().Secrets(metav1.NamespaceSystem).Delete(ctx, secretNeedClean, metav1.DeleteOptions{}) 51 framework.ExpectNoError(err) 52 secretNeedClean = "" 53 } 54 }) 55 ginkgo.BeforeEach(func() { 56 c = f.ClientSet 57 }) 58 59 ginkgo.It("should sign the new added bootstrap tokens", func(ctx context.Context) { 60 ginkgo.By("create a new bootstrap token secret") 61 tokenID, err := GenerateTokenID() 62 framework.ExpectNoError(err) 63 secret := newTokenSecret(tokenID, "tokenSecret") 64 _, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(ctx, secret, metav1.CreateOptions{}) 65 secretNeedClean = bootstrapapi.BootstrapTokenSecretPrefix + tokenID 66 67 framework.ExpectNoError(err) 68 69 ginkgo.By("wait for the bootstrap token secret be signed") 70 err = WaitforSignedClusterInfoByBootStrapToken(c, tokenID) 71 framework.ExpectNoError(err) 72 }) 73 74 f.It("should resign the bootstrap tokens when the clusterInfo ConfigMap updated", f.WithSerial(), f.WithDisruptive(), func(ctx context.Context) { 75 ginkgo.By("create a new bootstrap token secret") 76 tokenID, err := GenerateTokenID() 77 framework.ExpectNoError(err) 78 secret := newTokenSecret(tokenID, "tokenSecret") 79 _, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(ctx, secret, metav1.CreateOptions{}) 80 framework.ExpectNoError(err) 81 secretNeedClean = bootstrapapi.BootstrapTokenSecretPrefix + tokenID 82 83 ginkgo.By("wait for the bootstrap token secret be signed") 84 err = WaitforSignedClusterInfoByBootStrapToken(c, tokenID) 85 framework.ExpectNoError(err) 86 87 cfgMap, err := f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(ctx, bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{}) 88 framework.ExpectNoError(err) 89 signedToken, ok := cfgMap.Data[bootstrapapi.JWSSignatureKeyPrefix+tokenID] 90 if !ok { 91 framework.Failf("expected signed token with key %q not found in %+v", bootstrapapi.JWSSignatureKeyPrefix+tokenID, cfgMap.Data) 92 } 93 94 ginkgo.By("update the cluster-info ConfigMap") 95 originalData := cfgMap.Data[bootstrapapi.KubeConfigKey] 96 updatedKubeConfig, err := randBytes(20) 97 framework.ExpectNoError(err) 98 cfgMap.Data[bootstrapapi.KubeConfigKey] = updatedKubeConfig 99 _, err = f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Update(ctx, cfgMap, metav1.UpdateOptions{}) 100 framework.ExpectNoError(err) 101 defer func() { 102 ginkgo.By("update back the cluster-info ConfigMap") 103 cfgMap, err = f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(ctx, bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{}) 104 framework.ExpectNoError(err) 105 cfgMap.Data[bootstrapapi.KubeConfigKey] = originalData 106 _, err = f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Update(ctx, cfgMap, metav1.UpdateOptions{}) 107 framework.ExpectNoError(err) 108 }() 109 110 ginkgo.By("wait for signed bootstrap token updated") 111 err = WaitForSignedClusterInfoGetUpdatedByBootstrapToken(c, tokenID, signedToken) 112 framework.ExpectNoError(err) 113 }) 114 115 ginkgo.It("should delete the signed bootstrap tokens from clusterInfo ConfigMap when bootstrap token is deleted", func(ctx context.Context) { 116 ginkgo.By("create a new bootstrap token secret") 117 tokenID, err := GenerateTokenID() 118 framework.ExpectNoError(err) 119 secret := newTokenSecret(tokenID, "tokenSecret") 120 _, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(ctx, secret, metav1.CreateOptions{}) 121 framework.ExpectNoError(err) 122 123 ginkgo.By("wait for the bootstrap secret be signed") 124 err = WaitforSignedClusterInfoByBootStrapToken(c, tokenID) 125 framework.ExpectNoError(err) 126 127 ginkgo.By("delete the bootstrap token secret") 128 err = c.CoreV1().Secrets(metav1.NamespaceSystem).Delete(ctx, bootstrapapi.BootstrapTokenSecretPrefix+tokenID, metav1.DeleteOptions{}) 129 framework.ExpectNoError(err) 130 131 ginkgo.By("wait for the bootstrap token removed from cluster-info ConfigMap") 132 err = WaitForSignedClusterInfoByBootstrapTokenToDisappear(c, tokenID) 133 framework.ExpectNoError(err) 134 }) 135 })